16 February 2023

How local councils can bolster cyber resiliency

Image: Rick Jones is CEO and co-founder of DigitalXRAID.

Local councils are at serious risk of cyberattacks. Providing essential services across the country, councils have experienced rising numbers of breaches as increasing digitalisation has expanded the attack surface available for exploitation by bad actors. In fact, UK councils suffered 10,000 attempted cyberattacks every day in the first half of 2022.

The attack on Gloucester Council in December 2021 is a prime example of how much damage a successful cyberattack can inflict and how long-lasting the resulting disruption can be – systems still weren’t fully operational eight months later. The good news, however, is that improving cybersecurity and mitigating attacks does not have to be complex or costly. What is key for councils is to engage fully in the process and go beyond minimum requirements where possible.

Establishing the essentials

As vital public bodies, local councils are under particular pressure to demonstrate the strength of their cybersecurity via a regular, legally required IT Health Check (ITHC), as set out by the National Cyber Security Centre (NCSC). A full ITHC is a crucial part of a security strategy as it reviews and provides assurance over the security of key infrastructure systems and services. However, there is a tendency for the process to be treated like a tick-box exercise.

Local councils often lack sufficient in-house cybersecurity expertise and operate on extremely tight budgets, meaning it can be difficult to dedicate the time and resources necessary to go beyond the ITHC and adopt best practice across the organisation. However, there are a number of measures that can help strengthen councils’ cybersecurity strategies and ensure more holistic protection.

For Wiltshire Council, this meant engaging with a new testing partner that was part of the CHECK scheme. Choosing to work with an experienced third party helps councils identify areas to include in the ITHC to exceed the NCSC guidelines and improve on results from previous years. This was a key aim for Wiltshire, as a forward-thinking and innovative council with a vision to build stronger communities with core values that underpin what it does daily.

Both internal and external testing was conducted to evaluate Wiltshire Council’s IT posture and understand any potential security gaps. Working closely with their security partner throughout the scoping process meant Wiltshire received advice on what should be included in the ITHC on top of the NCSC’s guidelines, going beyond the basics. The council was made aware of what testing was being actioned at each stage of the process, understood what next steps were being taken, and received clear and detailed reporting to outline any vulnerabilities identified.

As a result, Wiltshire Council received approval from the Cabinet Office with no issues or checks needed. Greater detail in their report provided the council with a deeper understanding of any risk exposure, while the IT department was able to set out a remediation plan to address gaps identified.

Proactive protection

In addition to ITHCs, there are numerous proactive measures local councils can implement to further bolster their security posture. Considering a recent report found that phishing attacks are the biggest threat to UK councils, with 75% stating it was the most common threat vector attempted against them, adopting a ‘security-first’ mindset across the whole organisation is crucial. Often non-security personnel can fall into the trap of thinking security isn’t their responsibility. And yet, one staff member clicking one malicious link in a phishing email can be all it takes to launch a successful cyberattack. Councils should therefore be considering regular phishing training and simulations for all staff to help instil the importance of keeping cybersecurity front-of-mind.

Another important element of cybersecurity best practice is maintaining good cyber hygiene. This should comprise elements like strong encryption, privileged access management and multi-factor authentication (MFA) to deepen defences and help prevent a hacker from accessing sensitive information if they gain access to a council’s environment.

Conducting frequent vulnerability scans and penetration testing also helps councils go beyond the legal ITHC requirement and provides more holistic protection. These identify any security weaknesses and potentially exploitable vulnerabilities across systems and networks, giving organisations the chance to remediate gaps in their security posture. Because an ITHC only provides a snapshot of a council’s cybersecurity posture at the time it takes place, it’s important to conduct cyber risk assessments year-round to uncover any other security deficiencies.

Looking ahead

Unfortunately, the threat landscape continues to expand. Hackers are growing in sophistication and all industries are at risk. For local councils that provide essential services 24/7/365, it’s critical to avoid treating cybersecurity as a tick-box exercise and to follow the example set by Wiltshire Council of going beyond the basics and engaging with it as a core element of day-to-day business. While this may initially appear complex and costly, investing in going beyond the bare minimum will prove hugely valuable long-term.

Rick Jones is CEO and co-founder of DigitalXRAID
